{"id":519,"date":"2021-06-17T13:18:52","date_gmt":"2021-06-17T11:18:52","guid":{"rendered":"https:\/\/homepages.lcc-toulouse.fr\/colombet\/?p=519"},"modified":"2021-09-29T08:05:01","modified_gmt":"2021-09-29T06:05:01","slug":"bitwarden-coffre-fort-numerique-auto-heberge","status":"publish","type":"post","link":"https:\/\/homepages.lcc-toulouse.fr\/colombet\/bitwarden-coffre-fort-numerique-auto-heberge\/","title":{"rendered":"bitwarden – coffre fort num\u00e9rique auto h\u00e9berg\u00e9"},"content":{"rendered":"

\"bitwarden\"<\/p>\n

Bitwarden est un gestionnaire de mots de passe freemium et open source sous licence AGPL. Il permet de g\u00e9n\u00e9rer et de conserver des mots de passe de mani\u00e8re s\u00e9curis\u00e9e. Ces \u00e9l\u00e9ments sont prot\u00e9g\u00e9s par un seul et unique mot de passe appel\u00e9 \u00ab mot de passe ma\u00eetre \u00bb. Il existe une alternative auto h\u00e9bergeable c’est vaultwarden, une instance non officielle de Bitwarden. Ce tutoriel vous pr\u00e9sente l’installation compl\u00e8te sur Debian 10.<\/p>\n

<\/p>\n

Pr\u00e9-requis<\/h2>\n
apt update\napt upgrade\napt install git nano curl wget htop pkg-config openssl libssl1.1 libssl-dev\napt install build-essential\n<\/code><\/pre>\n
Installer Rust<\/h2>\n
Executer<\/p>\n
curl --proto '=https' --tlsv1.2 -sSf https:\/\/sh.rustup.rs | sh\n<\/code><\/pre>\n
Choisir<\/p>\n
1) Proceed with installation (default)\n<\/code><\/pre>\n
Activer l’environnement cargo sur votre compte utilisateur<\/p>\n
source $HOME\/.cargo\/env\n<\/code><\/pre>\n
Installer Node<\/h2>\n
Choisir votre m\u00e9thode d’installation<\/p>\n
Manuelle :<\/p>\n
# mkdir \/opt\/node\n# cd \/opt\/node\n# wget https:\/\/nodejs.org\/dist\/latest-v11.x\/node-v11.15.0-linux-x64.tar.xz\n# tar xJvf node-v11.15.0-linux-x64.tar.xz\n# ln -s \/opt\/node\/node-v11.15.0-linux-x64 \/opt\/node\/current\n<\/code><\/pre>\n
# echo 'export PATH=\/opt\/node\/bin:$PATH' &gt;&gt; ~\/.bashrc\n# export PATH=\/opt\/node\/bin:$PATH\n# which npm\n\/opt\/node\/current\/bin\/npm\n# npm i npm@latest -g\n<\/code><\/pre>\n
Automatique via package debian (https:\/\/github.com\/nodesource\/distributions#debinstall<\/a>)<\/p>\n
curl -fsSL https:\/\/deb.nodesource.com\/setup_12.x | bash -\napt-get install -y nodejs\n<\/code><\/pre>\n
Compiler bitwarden<\/h2>\n
Pr\u00e9-requis si vous voulez utiliser un serveur mysql \u00e0 la place du fichier nosql<\/p>\n
# apt install mariadb-server mariadb-client default-libmysqlclient-dev\n# systemctl start mariadb\n# mysql_secure_installation\n\n# mysql -u root -p\n\nuse mysql;\nupdate user set plugin='' where User='root';\nflush privileges;\nquit\n<\/code><\/pre>\n
# mariadb -u root -p\nEnter password:\nERROR 1045 (28000): Access denied for user 'root'@'localhost' (using password: NO)\n<\/code><\/pre>\n
Depuis le passage en Debian 10, le fichier \/etc\/mysql\/debian.cnf a bascul\u00e9 sur le compte root sans MDP. Des erreurs vont apparaitront durant les scripts de maintenance de MariaDB (\/var\/log\/syslog)<\/p>\n
# more \/etc\/mysql\/debian.cnf\n...\nuser     = root\npassword =\n...\n[mysql_upgrade]\n...\nuser     = root\npassword =\n...\n<\/code><\/pre>\n
Remplacement du compte root<\/em> par debian-sys-maint<\/em> et ajout d’un mot de passe dans le fichier \/etc\/mysql\/debian.cnf<\/p>\n
sed -i 's\/root\/debian-sys-maint\/g' \/etc\/mysql\/debian.cnf\nsed -i 's\/password =\/password = cBHWZQ8D9twjFwkHjcoVFC9cG\/g' \/etc\/mysql\/debian.cnf\n<\/code><\/pre>\n
Le compte et le mdp pr\u00e9c\u00e9demment renseign\u00e9 dans le fichier \/etc\/mysql\/debian.cnf vont vous permettre de cr\u00e9er le compte dans MariaDB.<\/p>\n
# mariadb -u root -p\nCREATE USER 'debian-sys-maint'@'localhost' IDENTIFIED BY 'cBHWZQ8D9twjFwkHjcoVFC9cG';\nGRANT ALL PRIVILEGES ON *.* TO 'debian-sys-maint'@'localhost'  WITH GRANT OPTION;\nflush privileges;\nquit\n<\/code><\/pre>\n
Vous pouvez profiter du param\u00e9trage de mysql pour cr\u00e9er la base et les identifiants n\u00e9cessaire \u00e0 Bitwarden<\/p>\n
mariadb -u root -p\nCREATE DATABASE vaultwarden CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci;\nCREATE USER 'vaultwarden'@'localhost' IDENTIFIED BY 'Bb8yDAvyKSCJ3CvdZAYAp9ZKp';\nGRANT ALL ON `vaultwarden`.* TO 'vaultwarden'@'localhost';\nFLUSH PRIVILEGES;\n<\/code><\/pre>\n
Afin de proc\u00e9der \u00e0 l’installation, il est judicieux de v\u00e9rifier les derni\u00e8res versions disponible \u00e0 cette adresse : https:\/\/github.com\/dani-garcia\/vaultwarden\/releases<\/a><\/p>\n
D\u00e9buter l’installation de Bitwarden<\/p>\n
# mkdir \/opt\/bitwarden\n\n# cd \/opt\/bitwarden\n\n# wget https:\/\/github.com\/dani-garcia\/vaultwarden\/archive\/refs\/tags\/1.22.2.tar.gz\n\n# tar xvf 1.22.2.tar.gz\n\n# cd vaultwarden-1.22.2\n\n# echo \"Si vous souhaitez compiler pour SQLITE, MYSQL, POSTGRESQL\n# cargo build --features sqlite,mysql,postgresql --release\n\n# echo \"Si vous souhaitez compiler pour SQLITE et MYSQL\n# cargo build --features sqlite,mysql --release\n\n# file target\/release\/vaultwarden\ntarget\/release\/vaultwarden: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter \/lib64\/ld-linux-x86-64.so.2, for GNU\/Linux 3.2.0, BuildID[sha1]=ef7d7d94c7f0d950e8da317bf4f0c81762f7aaaa, with debug_info, not stripped\n\n# echo \"Le binaire est stock\u00e9 dans le dossier target\/release\/vaultwarden\"\n# cp target\/release\/vaultwarden \/usr\/local\/bin\/bitwarden\n\n# useradd -m -d \/var\/lib\/bitwarden bitwarden\n# chmod 750 \/usr\/local\/bin\/bitwarden\n# chown root:bitwarden \/usr\/local\/bin\/bitwarden\n# mkdir -p \/var\/lib\/bitwarden\/{data,log}\n# chown -R bitwarden:bitwarden \/var\/lib\/bitwarden\/\n# chmod -R 750 \/var\/lib\/bitwarden\/\n# chown -R root:bitwarden \/etc\/bitwarden\/\n# chmod 770 \/etc\/bitwarden\/\n\n<\/code><\/pre>\n
Interface web vault<\/h2>\n
Afin de proc\u00e9der \u00e0 l’installation, il est judicieux de v\u00e9rifier les derni\u00e8res versions disponible \u00e0 cette adresse : https:\/\/github.com\/dani-garcia\/bw_web_builds\/releases<\/p>\n
apt install apache2 apache2-bin\na2enmod ssl http2 proxy proxy_http2 proxy_http rewrite headers\n<\/code><\/pre>\n
Exemple de virtualhost
\n<\/code><\/p>\n
<VirtualHost *:443>\nDocumentRoot \/var\/www\/vault\nServerAdmin postmaster@mondomaine.fr\nServerName vault.mondomaine.fr\nProtocols h2 h2c http\/1.1\n\n<If \"%{HTTP_HOST} != 'vault.mondomaine.fr'\">\n    Redirect \"\/\" \"https:\/\/vault.mondomaine.fr\"\n<\/If>\n\nSSLEngine on\n\n <Directory \/>\n    Options FollowSymLinks\n    AllowOverride None\n <\/Directory>\n\nProxyRequests     Off\nProxyPreserveHost On\nRequestHeader set X-Real-IP %{REMOTE_ADDR}s\n\nRewriteEngine On\nRewriteCond %{HTTP:Upgrade} =websocket [NC]\nRewriteRule \/notifications\/hub(.*) ws:\/\/127.0.0.1:3012\/ [P,L]\nProxyPass \/ http:\/\/127.0.0.1:8000\/\n\nLogLevel warn\nErrorLog ${APACHE_LOG_DIR}\/error-vault.mondomaine.fr.log\nCustomLog ${APACHE_LOG_DIR}\/access-vault.mondomaine.fr.log combined\n<\/VirtualHost>\n<\/code><\/pre>\n
cd \/var\/www\/\nmv vault vault.old\nwget https:\/\/github.com\/dani-garcia\/bw_web_builds\/releases\/download\/v2.21.1\/bw_web_v2.21.1.tar.gz\ntar xvfz bw_web_v2.21.1.tar.gz\nmv web-vault vault\nrm bw_web_v2.21.1.tar.gz\nchown -R www-data:www-data \/var\/www\/vault\/\n<\/code><\/pre>\n
Configuration<\/h2>\n
La compilation maintenant termin\u00e9, il faut passer \u00e0 la configuration :<\/p>\n
mkdir \/etc\/bitwarden\/\n\ncp \/opt\/bitwarden\/vaultwarden-1.22.2\/.env.template \/etc\/bitwarden\/bitwarden.conf\n\nsed -i 's\/'\"# ADMIN_TOKEN=.*\"'\/'\"ADMIN_TOKEN=$(tr -cd '[:alnum:]' < \/dev\/urandom | fold -w 49 | head -n 1)\"'\/' \/etc\/bitwarden\/bitwarden.conf\n\ngrep ^ADMIN_TOKEN \/etc\/bitwarden\/bitwarden.conf\nADMIN_TOKEN=X3yWhAMJhPJu5ISijayKUNBHyNoWW7ZjISXTILtwjdIsVrXmI\n\nsed -i \"s\/# WEB_VAULT_FOLDER=web-vault\/WEB_VAULT_FOLDER=\\\/var\\\/www\\\/vault\/\" \/etc\/bitwarden\/bitwarden.conf\n\nsed -i \"s\/# ROCKET_ADDRESS=0\\.0\\.0\\.0.*\/ROCKET_ADDRESS=127.0.0.1\/\" \/etc\/bitwarden\/bitwarden.conf\n\nsed -i \"s\/# WEBSOCKET_ENABLED=false\/WEBSOCKET_ENABLED=true\/\" \/etc\/bitwarden\/bitwarden.conf\n\nsed -i \"s\/# WEBSOCKET_ADDRESS=0.0.0.0\/WEBSOCKET_ADDRESS=127.0.0.1\/\" \/etc\/bitwarden\/bitwarden.conf\n\nsed -i \"s\/# DOMAIN=.*\/DOMAIN=https:\\\/\\\/vault.mondomain.fr\/\" \/etc\/bitwarden\/bitwarden.conf\n\nsed -i \"s\/# LOG_FILE=.*\/LOG_FILE=\\\/var\\\/lib\\\/bitwarden\\\/log\\\/bitwarden.log\/\" \/etc\/bitwarden\/bitwarden.conf\n\nsed -i \"s\/# LOG_LEVEL=.*\/LOG_LEVEL=warn\/\" \/etc\/bitwarden\/bitwarden.conf\n\nsed -i \"s\/# DATA_FOLDER=data\/DATA_FOLDER=\\\/var\\\/lib\\\/bitwarden\\\/data\/\" \/etc\/bitwarden\/bitwarden.conf\n<\/code><\/pre>\n
Pour SQLITE<\/p>\n
sed -i \"s\/# DATABASE_URL=data\\\/db.sqlite3\/DATABASE_URL=\\\/var\\\/lib\\\/bitwarden\\\/data\\\/db.sqlite3\/\" \/etc\/bitwarden\/bitwarden.conf\n<\/code><\/pre>\n
POUR MYSQL<\/p>\n
sed -i \"s\/# DATABASE_URL=mysql:\\\/\\\/user:password@host[:port]\\\/database_name\\\/DATABASE_URL=mysql:\\\/\\\/vaultwarden:Bb8yDAvyKSCJ3CvdZAYAp9ZKp@localhost\\\/vaultwarden\" \/etc\/bitwarden\/bitwarden.conf\n<\/code><\/pre>\n
Cr\u00e9er le service bitwarden via systemd<\/p>\n
vi \/etc\/systemd\/system\/bitwarden.service\n<\/code><\/pre>\n
[Unit]\nDescription=Bitwarden RS server (Rust Edition)\nDocumentation=https:\/\/github.com\/dani-garcia\/vaultwarden\n\n# Only sqlite\nAfter=network.target\n\n# MariaDB\n# After=network.target mariadb.service\n# Requires=mariadb.service\n\n# Mysql\n# After=network.target mysqld.service\n# Requires=mysqld.service\n\n# PostgreSQL\n# After=network.target postgresql.service\n# Requires=postgresql.service\n\n[Service]\n# The user\/group bitwarden_rs is run under. \nUser=bitwarden\nGroup=bitwarden\n# The location of the .env file for configuration\nEnvironmentFile=\/etc\/bitwarden\/bitwarden.conf\n# The location of the compiled binary\nExecStart=\/usr\/local\/bin\/bitwarden\n# Set reasonable connection and process limits\nLimitNOFILE=65535\nLimitNPROC=64\n# Isolate bitwarden from the rest of the system\nPrivateTmp=true\nPrivateDevices=true\nProtectHome=true\nProtectSystem=strict\n# Only allow writes to the following directory and set it to the working directory (user and password data are stored here)\nWorkingDirectory=\/var\/lib\/bitwarden\nReadWriteDirectories=\/var\/lib\/bitwarden\n# Allow bitwarden to bind ports in the range of 0-1024\nCapabilityBoundingSet=CAP_NET_BIND_SERVICE\nAmbientCapabilities=CAP_NET_BIND_SERVICE\n\n[Install]\nWantedBy=multi-user.target\n<\/code><\/pre>\n
Valider, v\u00e9rifier et lancer le daemon<\/p>\n
systemctl daemon-reload\nsystemctl start bitwarden.service\nsystemctl enable bitwarden.service\nsystemctl status bitwarden.service\n<\/code><\/pre>\n
Exemple pour connecter votre bitwarden en cli<\/h1>\n
Sur macOC installer le client bitwarden cli<\/p>\n
brew install bitwarden-cli\n<\/code><\/pre>\n
Configurer votre site perso<\/p>\n
$ bw config server https:\/\/vault.mondomaine.fr\nSaved setting `config`.\n<\/code><\/pre>\n
Il ne vous reste qu’a vous logger<\/p>\n
$ bw login\n? Email address: moi@mondomaine.fr\n? Master password: [hidden]\nYou are logged in!\n\nTo unlock your vault, set your session key to the `BW_SESSION` environment variable. ex:\n$ export BW_SESSION=\"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\"\n> $env:BW_SESSION=\"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\"\n\nYou can also pass the session key to any command with the `--session` option. ex:\n$ bw list items --session xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\n<\/code><\/pre>\n
Peupler la base utilisateur Bitwarden via un Active Directory<\/h2>\n
J’ai privil\u00e9gi\u00e9 de bloquer le domaine pour mon instance de Bitwarden, ainsi les utilisateurs cr\u00e9ent leur compte avec leur passphrase. Je n’utilise donc pas cet ex\u00e9cutable mais j’ai valid\u00e9 son fonctionnement.<\/p>\n
# cd \/opt\/bitwarden\n# git clone https:\/\/github.com\/ViViDboarder\/vaultwarden_ldap.git\n# cd vaultwarden_ldap\n# cp example.config.toml config.toml\n# cargo clean &amp;&amp; cargo build --release\n<\/code><\/pre>\n
R\u00e9f\u00e9rences<\/h1>\n